iPlanet Directory Server Access Management Edition Administration Guide



Chapter 3   Policy Management


This chapter describes the policy service management features of iPlanet Directory Server Access Management Edition (DSAME). The Policy Management interface provides a way to view, manage and configure all DSAME policies. This chapter contains the following sections:



The Policy Service

Every business has a need to protect its resources. This is done by configuring and managing rules that define who can do what to which resource. The DSAME Policy Service allows an organization to set up these rules or policies.

Each DSAME service that is written to enforce policies must have a policy schema. A policy schema is a set of rules and all their possible values. In DSAME, a policy schema is defined in an XML document that describes the full range of policy options available for a given service. From the policy schema, an administrator can create named policies, in the Policy Management view, to apply at different levels (role or organization). These named policies, once created, are then assigned to a specific role or organization within the User Management view.

DSAME ships with one policy service, the URL Policy Agent, and one sample mail service. For more information on the sample mail service and writing new policy schema, see the iPlanet Directory Server Access Management Edition Programmer's Guide.



The URL Policy Agent



A URL Policy Agent is a plug-in that enforces web access rules. The URL Policy Agent plugs into the iPlanet Web Server and performs two functions:

  1. It validates a user's sign on.

  2. It enforces the user's URL access.


Validating a User's Sign On

Once a user has logged in to DSAME, each request to the server will contain a user identification token which, in effect, proves that they have been successfully authenticated. The token is unique for a user on a given server. Once the URL Policy Agent intercepts a user's request, it looks for this token to verify that it represents an authenticated user. If the user is represented properly, the request is passed forward and subjected to the user's URL policy enforcement. If the user is not verified, the user is redirected to the Authentication page. (Similarly, if there is no user identification token at all, the user is redirected to the Authentication page.)


Enforcing URL Access

Once a user's identification is verified, the URL Policy Agent checks the user's URL access policies to find out the user's level of access. The URL being requested can be assigned to one of three attributes that are inherited by every entity in an organization's hierarchy when the URL Policy Agent service is registered. These three attributes are Allow, Deny or Not Enforced.

  • Allow

    iplanet-am-web-agent-access-allow-list is the attribute that contains all the URLs that an authenticated user is allowed to access.

  • Deny

    iplanet-am-web-agent-access-deny-list is the attribute that contains all the URLs that an authenticated user is not allowed to access.

  • Not Enforced

    iplanet-am-web-agent-access-not-enforced-list is the attribute that contains all the URLs that are not subjected to URL policy enforcement. However, the user must still be authenticated before the value of this attribute is applied.

The values of these three attributes are obtained from the aggregation of a user's roles.



Hierarchy Of Enforcement



In the enforcement of policy, deny privileges take precedence over allow privileges. An empty Deny list will allow only those resources that are allowed by the Allow list. An empty Allow list will not allow access to any resources except those in the Not Enforced list. If the URL access policy cannot be resolved between the Deny and Allow lists, access will not be allowed to the resource.

The following URLs are the default values of the Not Enforced option in the AMConfig.properties file (the property is named com.iplanet.am.policy.agents.url.notenforcedlist.local). No authentication is required to access these URLs:

  • http://<host>:<port>/amserver/console*

  • http://<host>:<port>/amserver/login*

  • http://<host>:<port>/amserver/images*

  • http://<host>:<port>/amserver/admin*

  • http://<host>:<port>/amserver/docs*

  • http://<host>:<port>/amserver/logout

  • http://<host>:<port>/amserver/index.html

  • http://<host>:<port>/amserver/namingservice

  • http://<host>:<port>/amserver/loggingservice

  • http://<host>:<port>/amserver/sessionservice

  • http://<host>:<port>/amserver/profileservice

  • http://<host>:<port>/amagent/html/URLAccessDenied.html

Allowing all users access to these URLs makes user authentication possible. Any edit made to the AMConfig.properties file requires a restart of the web server running the agent.


How the URL Policy Agent Works

Below is a description of how the URL Policy Agent works.

  1. Upon initialization, the URL Policy Agent reads the Not Enforced list from the AMConfig.properties file. Because access to the /login screen is not enforced, the user is able to view the login page.

  2. After successful user authentication, the user's URL access is Not Enforced until the user's URL Policy values are found.

  3. DSAME applies the Deny URLs to the user's URL access.

  4. DSAME applies the Allow URLs to the user's URL access.

  5. The user's policy profile is complete for this authentication session.
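The evaluation order described in "Hierarchy Of Enforcement" and in the steps above, written out as an added example that is not part of the guide or of DSAME itself. The attribute and property names are the ones the guide lists; the host, port, sample policies and glob-style handling of `*` wildcards are assumptions of this example.

```python
from fnmatch import fnmatchcase

ALLOW = "iplanet-am-web-agent-access-allow-list"
DENY = "iplanet-am-web-agent-access-deny-list"
NOT_ENFORCED = "iplanet-am-web-agent-access-not-enforced-list"

# Constructed subset of com.iplanet.am.policy.agents.url.notenforcedlist.local;
# host and port are made up. These URLs need no authentication at all.
LOCAL_NOT_ENFORCED = [
    "http://www.example.com:80/amserver/login*",
    "http://www.example.com:80/amagent/html/URLAccessDenied.html",
]

def matches(url, patterns):
    """True if url matches any pattern. The guide says wildcards are
    supported; glob-style '*' matching is an assumption of this example."""
    return any(fnmatchcase(url, p) for p in patterns)

def aggregate(policies):
    """Union the three list attributes over every named policy a user
    receives through roles or the organization (values are aggregated)."""
    merged = {ALLOW: set(), DENY: set(), NOT_ENFORCED: set()}
    for policy in policies:
        for attr in merged:
            merged[attr].update(policy.get(attr, ()))
    return merged

def decide(url, authenticated, merged):
    """Return the agent's decision for one request."""
    if matches(url, LOCAL_NOT_ENFORCED):
        return "allow"                       # login page etc.: no token needed
    if not authenticated:
        return "redirect-to-authentication"  # missing or invalid user token
    if matches(url, merged[NOT_ENFORCED]):
        return "allow"                       # not enforced, but authenticated
    if matches(url, merged[DENY]):
        return "deny"                        # deny takes precedence over allow
    if matches(url, merged[ALLOW]):
        return "allow"
    return "deny"                            # unresolved: access not allowed

# Constructed sample: two named policies assigned to a user's roles.
INTRANET_POLICY = {ALLOW: ["http://www.example.com:80/intranet/*"]}
PAYROLL_POLICY = {DENY: ["http://www.example.com:80/intranet/payroll/*"],
                  NOT_ENFORCED: ["http://www.example.com:80/public/*"]}
USER_POLICY = aggregate([INTRANET_POLICY, PAYROLL_POLICY])
```

With an empty Allow list every enforced URL falls through to the final `deny`, and a URL matched by both lists is denied, which is the precedence the guide states.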



Policy Management

Policies are configured using the Policy Management interface. This interface provides a means for:

  • The Top Level Administrator to view, create, delete and modify policies for a specific service that can be used across all organizations.

  • An organization's or sub-organization's administrator to view, create, delete and modify policies for specific use by the organization.

In general, policy is created at the organization (or sub-organization) level to be used throughout the organization's tree. In order to create a named policy, the specific policy service must first be registered to the organization under which the policy will be created.


Registering Policy Services

Registering a policy service is the same as registering any type of service; it is done within the User Management interface.

  1. Navigate to User Management by choosing View User Management.

    When the DSAME console opens, the default interface is User Management.

  2. Choose the organization for which you would like to create policy.

    If logged in as the Top Level Administrator, make sure that the location of the User Management interface is the top level organization where all configured organizations are visible. The default top level organization is o=isp.

  3. Choose Services from the Show menu.

    If the organization already has registered services, they will be displayed in the navigation pane.

  4. Click Register in the navigation pane.

    A listing of services not yet registered to this organization is displayed in the data pane.

  5. Select the URL Policy Agent checkbox from Register Services.

    The URL Policy Agent service is now registered to the chosen organization.



    Note Sub-organizations must register their policy services independently of their parent organization. In other words, the sub-organization o=suborg,o=iplanet,o=isp will not inherit the policy service from its parent o=iplanet,o=isp.




Creating Named Policies

Policies are created through the Policy Management interface. Once a named policy is created, it can be assigned to roles or organizations via the User Management interface.

  1. Navigate to Policy Management by choosing View Policy Management.

    Policies can only be created under an organization if that organization has first registered the URL Policy Agent service. See Registering Policy Services above.

  2. Choose the organization for which you would like to create a policy.

    Ensure that the location of the Policy Management window is correct for your organization. The default top level organization is o=isp.

  3. Choose Policies from the Show menu.

    By default, Organizations is visible in the Show menu. All sub-organizations configured, if any, will be visible below it. If creating policies for a sub-organization, choose the sub-organization and then choose Policies from the Show menu.

  4. Click New in the navigation pane.

    The New Policy window in the data pane opens. Service URL Policy Agent is selected by default as it is the only policy service available. To add other policy services, see the iPlanet Directory Server Access Management Edition Programmer's Guide.

  5. Type a name for the policy and click Create.

    The new policy rule window opens under the policy name created.

  6. Choose an action for the URL Policy Service.

    The choices Allow, Deny or Not Enforced are explained in "Enforcing URL Access".

  7. Type a resource in the Resource field and press Add Rule for the URL Policy Service.

    Currently, the only resources that can be enforced are http:// and https:// addresses. Wildcards are also supported.

  8. Repeat Step 6 and Step 7 to add additional actions to the URL policy.

  9. Click Save to complete the named policy's configuration.

    Actions that have already been added to a policy can be deleted by checking the Select box next to the action and pressing Delete.


Assigning Named Policies

Once a policy has been named and created, it can be assigned to the organization or role. This is done using the User Management interface. Assigning a policy at the organization level makes its attributes available to all entries in the organization. Assigning policy to a role makes its attributes available to all users who contain the role attribute.


Assigning Named Policies to an Organization

  1. Navigate to User Management by choosing View User Management.

    When the DSAME console opens, the default window is User Management.

  2. Choose the organization for which you would like to assign a named policy.

    Ensure that the location of User Management is correct for your organization. The default top level organization is o=isp.

  3. Choose Policies from the Show menu.

    If the organization already has policies assigned to it, they are displayed in the navigation pane. If the Assign Policies interface is not visible, click Assign and all unassigned policies will be displayed in the data pane.

  4. Select the box (or boxes) next to the unassigned policy (or policies) and click Assign.

    The chosen policy (or policies) will be displayed in the navigation pane. The policy is now assigned to the organization.


Assigning Named Policies to a Role

  1. Navigate to User Management by choosing View User Management.

    When the DSAME console opens, the default window is User Management.

  2. Choose Organizations from the Show menu.

    If the role to which you would like to assign a named policy is in the top level organization, choose Roles from the Show menu and skip to Step 4. (The default top level organization is o=isp.)

  3. Choose Roles from the Show menu.

    All configured roles for the organization are displayed in the navigation pane.

  4. Select the role to which you would like to apply a policy.

    The chosen role displays in the Location field in the uppermost window.

  5. Choose Policies from the Show menu.

    If the role already has policies assigned to it, they are displayed in the navigation pane.

  6. Click Assign to see a list of all unassigned policies.

  7. Choose the box (or boxes) next to the unassigned policy (or policies) and click Assign.

    The chosen policy (or policies) displays in the navigation pane. The policy is now assigned to the role.



    Note If multiple named policies are assigned to a role or organization, the values for allow and deny will be aggregated. If a priority is desired, the policy schema (XML) can be modified.




Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated May 09, 2002